Privacy Policy

Last updated: May 11, 2026 · Effective immediately

This policy explains what Stax ("we", "us") collects, how we use it, and your rights. It applies to the marketing site, the waitlist, and (when launched) the product dashboard.

1. What we collect

From the waitlist form

Your email address (required).
Your monthly AI spend bucket, if you provide it (optional).
A free-text note about your AI cost pain points, if you provide it (optional).
Referrer source, IP address, and user-agent string for spam prevention and analytics.

From the product (when launched)

Account info: email, name, workspace name, billing details (handled by Stripe, not stored by us).
API keys and OAuth tokens for AI providers you connect — encrypted at rest, used only to fetch your billing/usage data.
Usage metadata pulled from provider billing endpoints (dollar amounts, dates, model names, request counts).
We do not read your prompts, completions, or any content of your AI requests. The product reads invoice and usage metadata only.

From your browser

Aggregate page-view stats via Cloudflare Web Analytics — no cookies, no cross-site tracking.

2. How we use it

To notify you when product access opens.
To shape what we build — your pain-point notes directly influence the roadmap.
To deliver the product (sync your usage, send alerts, generate exports).
To process billing through Stripe.
To protect against abuse (rate limiting, spam detection).

3. Who we share with

We share data only with sub-processors needed to deliver the service:

Cloudflare — site hosting, database, edge functions.
Stripe — payment processing (we never see your card number).
Resend — transactional email delivery.

We do not sell your data. We do not share it with advertisers. We do not use it to train any model.

4. How long we keep it

Waitlist entries: until you ask us to delete them or until 24 months after the last interaction, whichever comes first.
Account data: for the life of your account plus 90 days after cancellation.
Provider usage data: 12 months rolling on the Pro plan; per your retention setting otherwise.

5. Your rights

You can request a copy of your data, correction of inaccurate data, or deletion of all data tied to your email. Email [email protected]. We respond within 30 days.

If you're in the EU/UK, you have rights under GDPR. If you're in California, you have rights under CCPA. We honor both for all users regardless of location.

6. Security

API keys and OAuth tokens are encrypted at rest using AES-256. All connections are over TLS 1.3. We log access to encrypted credentials for audit purposes. We are working toward SOC 2 Type II certification.

If you discover a security issue, please email [email protected]. We respond within one business day.

7. Cookies

The marketing site uses no cookies. The product dashboard (when launched) will use a single first-party session cookie for authentication. No third-party tracking cookies.

8. Changes to this policy

If we make material changes, we'll email everyone on the waitlist and every active account holder at least 14 days before the change takes effect.

9. Contact

Privacy questions: [email protected]
Mailing address: Stax, Inc., Gainesville, GA, USA.